diff --git a/CHANGELOG.md b/CHANGELOG.md index 07761ec..39e5b9c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +_Nothing yet._ + +## [2.0.0] - 2026-01-27 + ### Security - Updated `axios` from ^1.10.0 to ^1.13.2 to fix DoS vulnerability (GHSA-4hjh-wcwx-xvwj) 
@@ -14,35 +18,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Added npm overrides for transitive dependency vulnerabilities: - `glob` ^11.0.4 (fixes GHSA-5j98-mcp5-4vw2 command injection) - `js-yaml` ^4.1.1 (fixes GHSA-mh29-5h37-fv8m prototype pollution) +- URL inputs are no longer fetched client-side; URLs are passed to the server to mitigate SSRF risks ### Changed -- Updated devDependencies to latest compatible versions: - - `@eslint/eslintrc` ^3.3.3 - - `@eslint/js` ^9.39.2 - - `@types/node` ^24.10.7 - - `@typescript-eslint/eslint-plugin` ^8.53.0 - - `@typescript-eslint/parser` ^8.53.0 - - `dotenv` ^17.2.3 - - `eslint` ^9.39.2 - - `eslint-config-prettier` ^10.1.8 - - `eslint-plugin-jest` ^29.12.1 - - `globals` ^16.5.0 - - `jest` ^30.2.0 - - `openapi-typescript` ^7.10.1 - - `prettier` ^3.7.4 - - `rimraf` ^6.1.2 - - `ts-jest` ^29.4.6 - - `tsup` ^8.5.1 - - `tsx` ^4.21.0 - - `typescript` ^5.9.3 +- Most methods accept URL inputs via `FileInputWithUrl` and pass URLs to the server for fetching +- `sign()` now only accepts local files (file paths, Buffers, or Uint8Arrays); fetch remote files first +- Updated devDependencies to latest compatible versions - Switched Jest coverage provider from Istanbul to V8 for Node.js 25+ compatibility - Excluded generated API types from coverage collection (reduces noise in coverage reports) +### Removed + +- Removed client-side URL fetching helper `processRemoteFileInput` from public exports +- Removed client-side PDF parsing helpers (`getPdfPageCount`, `isValidPdf`) + ### Added +- SSRF protection documentation in README - This CHANGELOG.md file to track project changes + ## [1.0.1] - 2025-01-09 ### Changed 
@@ -68,6 +64,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Comprehensive error handling with typed error classes - AI agent integration rules for Claude Code, Cursor, GitHub Copilot, Junie, and Windsurf -[Unreleased]: https://github.com/PSPDFKit-labs/nutrient-dws-client-typescript/compare/v1.0.1...HEAD +[Unreleased]: https://github.com/PSPDFKit-labs/nutrient-dws-client-typescript/compare/v2.0.0...HEAD +[2.0.0]: https://github.com/PSPDFKit-labs/nutrient-dws-client-typescript/compare/v1.0.1...v2.0.0 [1.0.1]: https://github.com/PSPDFKit-labs/nutrient-dws-client-typescript/compare/v1.0.0...v1.0.1 [1.0.0]: https://github.com/PSPDFKit-labs/nutrient-dws-client-typescript/releases/tag/v1.0.0 diff --git a/README.md b/README.md index b08e1f0..f9c91cd 100644 --- a/README.md +++ b/README.md @@ -34,6 +34,10 @@ or yarn add @nutrient-sdk/dws-client-typescript ``` +## Migration Guides + +- v2.0.0: See `docs/MIGRATION.md` for URL input changes and `sign()` restrictions. + ## Integration with Coding Agents This package has built-in support with popular coding agents like Claude Code, GitHub Copilot, Cursor, and Windsurf by exposing scripts that will inject rules instructing the coding agents on how to use the package. This ensures that the coding agent doesn't hallucinate documentation, as well as making full use of all the features offered in Nutrient DWS TypeScript Client. diff --git a/docs/MIGRATION.md b/docs/MIGRATION.md new file mode 100644 index 0000000..e58b4e8 --- /dev/null +++ b/docs/MIGRATION.md 
@@ -0,0 +1,32 @@
+# Migration Guide
+
+## 2.0.0
+
+### 1) URL inputs now use `FileInputWithUrl`
+
+`FileInput` no longer includes URLs. If you need to pass URLs, use `FileInputWithUrl`.
+
+```ts
+import type { FileInputWithUrl } from '@nutrient-sdk/dws-client-typescript';
+
+const input: FileInputWithUrl = 'https://example.com/doc.pdf';
+const result = await client.convert(input, 'docx');
+```
+
+### 2) `processRemoteFileInput` removed
+
+If you previously used `processRemoteFileInput`, fetch the remote file yourself and pass a buffer.
+
+```ts
+// v1.x (no longer available)
+import { processRemoteFileInput } from '@nutrient-sdk/dws-client-typescript';
+
+// v2.0.0+
+const res = await fetch('https://example.com/doc.pdf');
+const buffer = Buffer.from(await res.arrayBuffer());
+const result = await client.sign(buffer, { data: { signatureType: 'cms' } });
+```
+
+### 3) `sign()` no longer accepts URLs
+
+`sign()` only accepts local inputs (file path, Buffer, or Uint8Array). For remote files, fetch first and pass a buffer.
diff --git a/examples/package-lock.json b/examples/package-lock.json
index f3315b1..28e76f1 100644
--- a/examples/package-lock.json
+++ b/examples/package-lock.json
@@ -8,7 +8,7 @@ "name": "nutrient-dws-client-typescript-example", "version": "1.0.0", "dependencies": { - "@nutrient-sdk/dws-client-typescript": "file:../nutrient-sdk-dws-client-typescript-1.0.1.tgz", + "@nutrient-sdk/dws-client-typescript": "file:../nutrient-sdk-dws-client-typescript-2.0.0.tgz", "dotenv": "^17.0.0" }, "devDependencies": { 
@@ -17,13 +17,13 @@ } }, "node_modules/@nutrient-sdk/dws-client-typescript": { - "version": "1.0.1", - "resolved": "file:../nutrient-sdk-dws-client-typescript-1.0.1.tgz", - "integrity": "sha512-5P9ig4in6b7CgXECoX25L+Gy+S3hr7frLrceTq9sNoT6Cmg+GgcMl5mX9eDMUT0JDEgXRNnS6Z57Cs3vy+j6aA==", + "version": "2.0.0", + "resolved": "file:../nutrient-sdk-dws-client-typescript-2.0.0.tgz", + "integrity": "sha512-dzujEBrNNb+h38sTogLeUjrQ4b1ES25OrzXJDgflC7QGkdWLqc3jE9Ivwjr6HnBg6ooTX0uE4gt/P8J97bmgtg==", "license": "MIT", "dependencies": { - "axios": "^1.10.0", - "form-data": "^4.0.4" + "axios": "^1.13.2", + "form-data": "^4.0.5" }, "bin": { "dws-add-claude-code-rule": "scripts/add_claude_code_rule.cjs", @@ -53,13 +53,13 @@ "license": "MIT" }, "node_modules/axios": { - "version": "1.10.0", - "resolved": "https://registry.npmjs.org/axios/-/axios-1.10.0.tgz", - "integrity": "sha512-/1xYAC4MP/HEG+3duIhFr4ZQXR4sQXOIe+o6sdqzeykGLx6Upp/1p8MHqhINOvGeP7xyNHe7tsiJByc4SSVUxw==", + "version": "1.13.3", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.13.3.tgz", + "integrity": "sha512-ERT8kdX7DZjtUm7IitEyV7InTHAF42iJuMArIiDIV5YtPanJkgw4hw5Dyg9fh0mihdWNn1GKaeIWErfe56UQ1g==", "license": "MIT", "dependencies": { "follow-redirects": "^1.15.6", - "form-data": "^4.0.0", + "form-data": "^4.0.4", "proxy-from-env": "^1.1.0" } }, @@ -169,9 +169,9 @@ } }, "node_modules/follow-redirects": { - "version": "1.15.9", - "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.9.tgz", - "integrity": "sha512-gew4GsXizNgdoRyqmyfMHyAmXsZDk6mHkSxZFCzW9gwlbtOW44CDtYavM+y+72qD/Vq2l550kMF52DT8fOLJqQ==", + "version": "1.15.11", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz", + "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==", "funding": [ { "type": "individual", 
@@ -189,9 +189,9 @@ } }, "node_modules/form-data": { - "version": "4.0.4", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz", - "integrity": "sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==", + "version": "4.0.5", + "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz", + "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==", "license": "MIT", "dependencies": { "asynckit": "^0.4.0", diff --git a/examples/package.json b/examples/package.json index a35e080..0947980 100644 --- a/examples/package.json +++ b/examples/package.json @@ -10,7 +10,7 @@ "private": true, "dependencies": { "dotenv": "^17.0.0", - "@nutrient-sdk/dws-client-typescript": "file:../nutrient-sdk-dws-client-typescript-1.0.1.tgz" + "@nutrient-sdk/dws-client-typescript": "file:../nutrient-sdk-dws-client-typescript-2.0.0.tgz" }, "devDependencies": { "@types/node": "^24.0.7", diff --git a/package-lock.json b/package-lock.json index 2e27e6f..0d9c06c 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@nutrient-sdk/dws-client-typescript", - "version": "1.0.1", + "version": "2.0.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@nutrient-sdk/dws-client-typescript", - "version": "1.0.1", + "version": "2.0.0", "license": "MIT", "dependencies": { "axios": "^1.13.2", @@ -76,6 +76,7 @@ "integrity": "sha512-H3mcG6ZDLTlYfaSNi0iOKkigqMFvkTKlGUYlD8GW7nNOYRrevuA46iTypPyv+06V3fEmvvazfntkBU34L0azAw==", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "@babel/code-frame": "^7.28.6", "@babel/generator": "^7.28.6", @@ -2404,6 +2405,7 @@ "integrity": "sha512-+054pVMzVTmRQV8BhpGv3UyfZ2Llgl8rdpDTon+cUH9+na0ncBVXj3wTUKh14+Kiz18ziM3b4ikpP5/Pc0rQEQ==", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "undici-types": "~7.16.0" } 
@@ -2477,6 +2479,7 @@ "integrity": "sha512-npiaib8XzbjtzS2N4HlqPvlpxpmZ14FjSJrteZpPxGUaYPlvhzlzUZ4mZyABo0EFrOWnvyd0Xxroq//hKhtAWg==", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "@typescript-eslint/scope-manager": "8.53.0", "@typescript-eslint/types": "8.53.0", @@ -2983,6 +2986,7 @@ "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==", "dev": true, "license": "MIT", + "peer": true, "bin": { "acorn": "bin/acorn" }, @@ -3307,6 +3311,7 @@ } ], "license": "MIT", + "peer": true, "dependencies": { "baseline-browser-mapping": "^2.9.0", "caniuse-lite": "^1.0.30001759", @@ -3904,6 +3909,7 @@ "dev": true, "hasInstallScript": true, "license": "MIT", + "peer": true, "bin": { "esbuild": "bin/esbuild" }, @@ -3968,6 +3974,7 @@ "integrity": "sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "@eslint-community/eslint-utils": "^4.8.0", "@eslint-community/regexpp": "^4.12.1", @@ -4967,6 +4974,7 @@ "integrity": "sha512-F26gjC0yWN8uAA5m5Ss8ZQf5nDHWGlN/xWZIh8S5SRbsEKBovwZhxGd6LJlbZYxBgCYOtreSUyb8hpXyGC5O4A==", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "@jest/core": "30.2.0", "@jest/types": "30.2.0", @@ -7047,6 +7055,7 @@ "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==", "dev": true, "license": "MIT", + "peer": true, "engines": { "node": ">=12" }, @@ -7176,6 +7185,7 @@ "integrity": "sha512-f0FFpIdcHgn8zcPSbf1dRevwt047YMnaiJM3u2w2RewrB+fob/zePZcrOyQoLMMO7aBIddLcQIEK5dYjkLnGrQ==", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "@cspotcode/source-map-support": "^0.8.0", "@tsconfig/node10": "^1.0.7", 
@@ -7301,6 +7311,7 @@ "integrity": "sha512-5C1sg4USs1lfG0GFb2RLXsdpXqBSEhAaA/0kPL01wxzpMqLILNxIxIOKiILz+cdg/pLnOUxFYOR5yhHU666wbw==", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "esbuild": "~0.27.0", "get-tsconfig": "^4.7.5" @@ -7357,6 +7368,7 @@ "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", "dev": true, "license": "Apache-2.0", + "peer": true, "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" diff --git a/package.json b/package.json index f3f8ecd..69cdbed 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@nutrient-sdk/dws-client-typescript", - "version": "1.0.1", + "version": "2.0.0", "description": "Node.js TypeScript client library for Nutrient Document Web Services (DWS) API", "keywords": [ "nutrient",